WAF rule on query strings

I am wanting to block bots from calling add-to-cart on my Woocommerce site. I made this WAF rule: (http.request.uri.query contains “add-to-cart”)

So it blocks queries like /?add-to-cart=864, which I want. And it works great.

However I notice it does let through more complex queries where the query string is at the end of the url like /product-category/subscription/?add-to-cart=30380

That is fine. I like that it ignores those query strings as they are valid. But on my site it is never valid to have that query string as the first thing in the url.

I’m curious why (http.request.uri.query contains “add-to-cart”) does not block /product-category/subscription/?add-to-cart=30380 as there is a query string in the request. Does that rule only block a request if the query is at the beginning of the url?

Do you maybe have any other Rules that lead to the second request being allowed?

I have created the following rule: (http.request.uri.query contains "add-to-cart")
This leads to both paths that you mentioned being blocked, check:

https://test.laudian.de/product-category/subscription/?add-to-cart=30380 (blocked)
https://test.laudian.de/?add-to-cart=864 (blocked)
https://test.laudian.de/?whatever  (not blocked)

The only other WAF rule I have is:
(http.host ne "mysite.com" and http.host ne "www.mysite.com")

I found a WAF that works:

(http.request.uri.query contains "add-to-cart" and not http.request.uri.path contains "product-")

Every url on my site that has ?add-to-cart will always start with product-. So I only block the ?add-to-cart query string if the url does not contain product-

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.